6 min read time

Detecting Ransomware Attacks via Artificial Intelligence-Based Technology for Your Data Backup and Restore Environment

by   in Portfolio

1.   Introduction

In this blog post I will explain how Artificial Intelligence can be used to detect ransomware and other attacks on IT infrastructure to be able to quickly react to digital threats and take appropriate countermeasures.

In the digital age, data is the lifeblood of businesses and individuals alike. The importance of data backup cannot be overstated. It serves as a safety net, safeguarding valuable information from potential threats such as hardware failures, natural disasters, or cyber-attacks like ransomware. Backups ensure that even in the face of such adversities, the integrity and availability of data remain uncompromised. They provide a reliable pathway to data recovery, minimizing downtime, and preventing the irrevocable loss of critical information. In essence, data backups are not just an insurance policy for our digital assets, but a critical component in any comprehensive data management strategy.

Ransomware is a type of malicious software, or malware, that encrypts a victim's files. The attacker then demands a ransom from the victim to restore access to the data upon payment. The motive for ransomware attacks is nearly always monetary, and unlike other types of attacks, the victim is usually notified that an exploit has occurred and is given instructions for how to recover from the attack. Payment is often demanded in a virtual currency, such as bitcoin, to protect the cybercriminal's identity. Ransomware is particularly harmful because it not only prevents users from accessing their files, but also threatens the permanent loss of those files if the ransom is not paid in time. Even if the ransom is paid most victims cannot recover all their digital assets.

2.   Understanding Ransomware Attacks

Ransomware operates by infiltrating a system through various means, such as phishing emails or exploiting vulnerabilities in software. Once inside, it encrypts the user's files, effectively locking them out of their own data. The encryption used is typically strong and practically impossible to break without the decryption key. The attacker then presents a ransom note, often displayed when the user logs in or tries to access their files. This note contains instructions on how to pay the ransom, usually demanded in a form of cryptocurrency like Bitcoin to maintain the attacker's anonymity. It's important to note that paying the ransom does not guarantee the return of the data. In fact, it encourages malicious activity by making it profitable.

Ransomware attacks can have a devastating impact on data backups. The primary purpose of backups is to provide a way to restore data in the event of its loss. However, ransomware attacks can render these backups useless. Some sophisticated ransomware strains are designed to target backup files and backup software, encrypting them along with the primary data. This leaves businesses without the safety net of their backups, making the impact of the attack even more severe. Furthermore, if backups are not properly isolated from the network, ransomware can spread to these systems, encrypting and potentially destroying backup data. This underscores the importance of secure backup practices, such as maintaining offline backups or using immutable backup storage, to protect against ransomware threats.

3. The Role of Artificial Intelligence in Cybersecurity

Artificial Intelligence (AI) plays a pivotal role in cybersecurity, providing an essential line of defense against increasingly sophisticated cyber threats. AI algorithms can be trained to recognize patterns and anomalies in data, enabling them to detect malicious activities or breaches that a human might miss. Machine learning, a subset of AI, can be used to analyze vast amounts of data and learn from it, improving its detection capabilities over time. This allows for real-time threat detection and response, significantly reducing the potential damage from a cyber-attack. Furthermore, AI can be used to predict future attacks based on patterns identified in past data, providing proactive security measures. However, while AI offers significant benefits in cybersecurity, it's also important to be aware of the potential risks and challenges, such as the use of AI by malicious actors to carry out more sophisticated attacks.

Artificial Intelligence (AI) brings numerous benefits to the field of anomaly detection. Firstly, AI can process and analyze vast amounts of data at a speed and scale far beyond human capabilities. This allows for real-time detection of anomalies, significantly reducing the time between the occurrence of an anomaly and its detection. Secondly, AI systems can be trained to learn from the data they analyze. This means they can adapt to new types of anomalies and improve their detection capabilities over time. Thirdly, AI can identify subtle patterns and correlations that may be overlooked by human analysts. This can lead to the detection of complex or sophisticated anomalies that might otherwise go unnoticed. Lastly, the use of AI can free up human analysts to focus on higher-level tasks, such as interpreting the results of anomaly detection and deciding on the appropriate response.

4.   AI for Detecting Anomalies in Backups

Anomalies in backups can serve as critical indicators of a ransomware attack. Ransomware, by its nature, alters data by encrypting it, and these changes can be detected as anomalies. For instance, a sudden increase in the amount of changed data in a backup could indicate that files are being modified by ransomware encryption. Similarly, repeated failures in backup processes could be a sign that ransomware is interfering with normal operations.

Moreover, if files that are usually static and rarely change (like system files or old data) start showing modifications, it could be a sign of ransomware activity. Also, the presence of known ransomware file extensions or ransom notes in a backup can be a clear indication of an attack.

It's important to note that while these anomalies can suggest a ransomware attack, they could also be due to other factors. Therefore, any anomaly detection should be part of a broader, multi-layered cybersecurity strategy. It's always recommended to investigate these anomalies promptly to mitigate potential threats.

5.   OpenText Data Protector uses AI for detecting anomalies in backups

Data Protector uses machine learning to detect anomalies in backups that could indicate ransomware attacks and other malicious digital activities. Unusual activities are being presented on the Data Protector dashboard and should be verified immediately.


Figure 1: Data Protector dashboard showing anomalies in the bottom right area of the dashboard.

Administrators can now simply click on the anomalies to be taken to the anomalies details page. From the details page administrators see why an activity is marked as anomaly and can verify if that is expected behavior or could be a malicious activity.


Figure 2: Details of anomalies reported by Data Protector

Using Artificial Intelligence in Data Protector is quite easy. The only thing an administrator needs to do is to turn on anomaly detection. Once turned on, anomaly detection is enabled and the system reports anomalies on the Data Protector dashboard for human verification.

Figure 3: Data Protector admin screen for turning on AI based anomaly detection

6.   Benefits of Data Protector anomaly detection

Anomaly detection integrated into data backup and restore systems eliminates the need of additional licenses and cost for ransomware detection software. Administrators can react very quickly on detected threats and take the countermeasures needed to keep all system healthy. Data Protector not only detects ransomware but also other attacks that might be triggered by employees or other bad actors.

Anomaly detection is available in Data Protector 24.1.  



Request a free trial of OpenText Data Protector 

Learn more about Cloud data backup and restore 

Read about data backup and resiliency 


Data Protection